Each URL-matching rule can specify various features of the URLs that will
be matched. For a URL to match the rule, it must match all of the features
that are specified by the rule. The following items can be configured:

Protocol - This specifies the protocol(s) that the
rule will match. Available options are: HTTP, HTTPS, or any.

Host or IP range - This specifies the host(s) that
the rule will match. You can enter a regular expression to match the hostname,
or an IP range in various standard formats, for example 10.1.1.1/24 or 10.1.1-20.1-127.
If the host field is left blank, then the rule can match URLs containing any
host.

Port - This specifies the port(s) that the rule
will match. You can enter a regular expression to match one or more port numbers. If the
port field is left blank, then the rule can match URLs containing any port.

File - This specifies the file portion of the URL
that the rule will match (ignoring any query string). You can enter a regular expression to match
the required range of URL files. If the file field is left blank, then the rule can match
URLs containing
any file.

Often, the easiest way to create a URL-matching rule is to copy the
relevant URL to the clipboard from elsewhere (either your browser or from a
request within Burp), and click the "Paste URL" button on the URL-matching
rule dialog. This will create a rule that matches this URL, and also any
others that have this URL as a prefix (Burp places a wildcard at the end of
the file expression). You can then manually edit the rule if required, to
fine-tune the URLs that are matched.

You can also use the "Load ..." button to load a list of items from a
text file. Each item in list should be either a URL or a hostname, and
Burp will create an appropriate rule for each item.

Support Center

Get help and join the community discussions at the Burp Suite
Support Center.

Tuesday, February 17, 2015

v1.6.11

These issues are not widely understood by security testers or application developers, and real vulnerabilities are quite prevalent in the wild. The impact of the vulnerability is in many cases serious, and equivalent to cross-site scripting (XSS).